Anomaly detection is often used in computer security to detect potentially malicious attacks on a computing device. Traditionally, security systems match observed activity against commonly known patterns of behavior that indicate an attack. For example, an intrusion detection system may monitor a computing device for activity that matches specific signatures of known attacks. The intrusion detection system may also determine that other behaviors resemble those of known malware and raise an alarm for such activity.
In some cases, known malware behaviors are not available and therefore cannot be compared with activity on the computing device. For these cases, anomaly detection may be used to establish a baseline of normal behavior and to detect when abnormal activity is present on a computing device. In anomaly detection, a security system need not know specific signatures in order to detect unusual activity. However, because little information is available about a new threat, anomaly detection may be inaccurate in identifying behaviors that indicate an attack: a baseline learned from too few observations cannot reliably separate benign variation from malicious activity. Furthermore, when many activities must be analyzed together, detecting anomalies can become computationally expensive and delay the raising of an alarm. Security software needs to be able to detect anomalies quickly and accurately when there is a lack of preexisting data relevant to a new attack. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for detecting anomalies that are potentially indicative of malicious attacks.
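The two approaches contrasted above, signature matching against known indicators and a statistical baseline of normal behavior, are illustrated by the following added example. It is not part of the instant disclosure and does not describe the disclosed systems and methods; the process names, indicator list, host names and per-minute connection counts are constructed, and the minimum-sample rule and z-score threshold are assumptions chosen to show the cold-start limitation described in the text (too little baseline data to judge a new activity).

```python
"""Baseline-based anomaly detection over constructed per-host event counts.

Added example, not part of the original disclosure. It contrasts a
signature check (exact match against known-bad indicators) with a
statistical baseline (mean and standard deviation of a metric learned
from "normal" observations) and shows the cold-start problem: with too
few baseline samples the detector cannot separate normal from abnormal.
All indicator strings, process names, hosts and counts are constructed.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

# Constructed indicator set standing in for a signature database.
KNOWN_BAD_PROCESSES = {"mimikatz.exe", "psexec_evil.exe"}


@dataclass(frozen=True)
class Event:
    host: str
    process: str
    outbound_connections: int  # constructed per-minute count


def signature_match(event: Event) -> bool:
    """Signature detection: flags only what is already in the indicator list."""
    return event.process.lower() in KNOWN_BAD_PROCESSES


class Baseline:
    """Per-host mean and standard deviation of a metric learned from normal traffic."""

    MIN_SAMPLES = 5  # assumption: below this the estimate is too noisy to trust

    def __init__(self) -> None:
        self._samples: dict[str, list[int]] = {}

    def observe(self, event: Event) -> None:
        self._samples.setdefault(event.host, []).append(event.outbound_connections)

    def stats(self, host: str) -> tuple[float, float] | None:
        xs = self._samples.get(host, [])
        if len(xs) < self.MIN_SAMPLES:
            return None
        mean = sum(xs) / len(xs)
        var = sum((x - mean) ** 2 for x in xs) / (len(xs) - 1)  # sample variance
        return mean, math.sqrt(var)

    def z_score(self, event: Event) -> float | None:
        st = self.stats(event.host)
        if st is None:
            return None
        mean, sd = st
        if sd == 0:  # perfectly constant baseline: any deviation is infinitely unusual
            return math.inf if event.outbound_connections != mean else 0.0
        return (event.outbound_connections - mean) / sd


def detect(event: Event, baseline: Baseline, threshold: float = 3.0) -> str:
    """Return 'signature', 'anomaly', 'insufficient_baseline' or 'normal'.

    Signatures are checked first because they need no baseline; the
    statistical check only applies once enough normal samples exist.
    """
    if signature_match(event):
        return "signature"
    z = baseline.z_score(event)
    if z is None:
        return "insufficient_baseline"
    return "anomaly" if abs(z) > threshold else "normal"


def demo() -> dict[str, str]:
    baseline = Baseline()
    # Constructed normal observations for host "ws-01": about 10 connections/min.
    for n in [9, 11, 10, 12, 8, 10, 11, 9]:
        baseline.observe(Event("ws-01", "outlook.exe", n))
    # Constructed observations for host "ws-02": only two samples (cold start).
    for n in [10, 10]:
        baseline.observe(Event("ws-02", "outlook.exe", n))

    return {
        "known_tool": detect(Event("ws-01", "mimikatz.exe", 10), baseline),
        "unknown_tool_spike": detect(Event("ws-01", "update_helper.exe", 95), baseline),
        "unknown_tool_quiet": detect(Event("ws-01", "update_helper.exe", 11), baseline),
        "cold_start_spike": detect(Event("ws-02", "update_helper.exe", 95), baseline),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

The "cold_start_spike" case is the situation the text describes: the activity on ws-02 is as extreme as the anomaly on ws-01, but with only two baseline samples the detector has no reliable notion of normal and can neither confirm nor rule out an attack.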